General Motors (GM) has settled a civil lawsuit with the company for $12.75 million, which accused the automaker of illegally selling the personal information and driving data of hundreds of thousands of OnStar subscribers to third-party data brokers from 2020 to 2024, against California’s privacy, false advertising, and unfair competition laws.
Today, California Attorney General Rob Bonta announced the settlement with the District Attorneys of San Francisco, Los Angeles, Napa, and Sonoma County, and the California Privacy Protection Agency (“CalPrivacy”). “This is the first enforcement action by the state under the data minimization principle of the California Consumer Privacy Act (CCPA).”
What Data Was Collected — and Sold?
GM’s OnStar Smart Driver software monitored driving behavior such as harsh braking, driving late at night, driving above 80 mph, quick acceleration, and the exact GPS position of where these occurred.
GM sold the names, contact information, geolocation data, and driving behavior data of hundreds of thousands of Californians to two big data brokers, Verisk Analytics and LexisNexis Risk Solutions. California AG Bonta’s office said such data sales generated nearly $20 million.
The damage came from the fact that the data lacked essential context. A motorist may have had to speed up or slam on the brakes to avoid a road danger or other driver, but the data collected didn’t capture those scenarios — presenting an incomplete picture that might unfairly increase insurance prices.
Hidden Consent and Misleading Enrollment
GM utilized a deceptive enrollment procedure, the FTC argued, requiring consumers to agree to receive safety and maintenance alerts as a condition of enrolling in OnStar Smart Driver, a different and unrelated program. Consumers could only either “accept” or “decline,” and the way the decision was presented to them meant many were ignorant of the features they would lose if they declined.
Nor did GM give a broadly available feature that would let users suppress location data across all vehicles. Where such an option existed, it was defaulted to “off,” and GM did not tell consumers it was available.
So many drivers learned about the problem after they had already been financially harmed. One client, a 65-year-old software firm owner from Seattle, found out the hard way when his insurance costs for his Chevy Bolt EV jumped 21 percent. Later, competitor insurers told him his LexisNexis report was a significant reason.
The Real Life Financial Impact
There were severe repercussions for the drivers involved. A 2024 Insurify investigation indicated that drivers who were detected in LexisNexis Telematics OnDemand reports paid 12% to 21% more on average than drivers who did not have those flags; therefore, a 15% surcharge on a $2,000 yearly full-coverage premium might cost a motorist about $300 more per year.
The FTC’s lawsuit said that GM and OnStar’s activities caused consumers to lose vehicle insurance, be caught off guard by higher rates, and other financial hardship – all based on data collection that consumers were never fully told about.
Settlement Conditions
The settlement compels GM to stop selling driver data to consumer reporting agencies, including data brokers, for five years, and to erase all driving data within 180 days – save for restricted internal uses.
GM also agreed to formally ask Verisk and LexisNexis to erase the data they acquired, and to start a new privacy program that will review vulnerabilities to OnStar data and provide its results to the California DOJ, district attorneys, and CalPrivacy.
“California’s $12.75 million penalty is the largest penalty ever issued in the seven-year history of the California Consumer Privacy Act, and the first time any U.S. authority has imposed a cash penalty on an automaker for selling driving data without consent.
A Regulator’s Design Pattern
California’s move follows prior federal action. Separately, on January 14, 2026, the FTC entered into a 20-year consent decree with GM and OnStar prohibiting the collection or distribution of driver data without affirmative, express authorization — and mandating data reduction, erasure of stored data, and consumer access rights. However, the federal decree did not include a fine.
And GM’s not alone. Hyundai discontinued its Drive Score program after the incident. Kia, Mitsubishi, Subaru, Honda, and Acura are among other car companies that have used similar broker partnerships to make driver data available, although some are more open about their relationships with Verisk and LexisNexis currently.
What Affected Drivers Can Do
Did you own a GM car between 2020 and 2024 with an active OnStar subscription? You may be able to see what data was gathered about you. Affected owners can receive a comprehensive driving data report from LexisNexis and Verisk containing data like acceleration events, braking patterns, and GPS locations collected during that period.
GM said the payment “relates to Smart Driver, a product that we discontinued in 2024,” and that the firm has taken efforts to improve privacy standards going forward.
